Netgate Discussion Forum
    VPN and Block private networks and loopback addresses

    NAT
jordanet

Hello everyone (I use Google Translate, sorry for my English),
I'm new to pfSense; maybe it's been asked so many times, but I don't understand if my configuration is safe:
FRITZBOX ROUTER 192.168.179.1
pfSense connected to LAN1 (exposed host) 192.168.179.20
LAN pfSense 192.168.1.0

In order to use OpenVPN I have to disable "Block private networks and loopback addresses".

Is it correct? Are there any risks?

viragomann @jordanet

        @jordanet
        That shouldn't be necessary at all.
        If OpenVPN (or any other inbound connection) doesn't work with blocking private networks, but does if it's disabled, while the filter rule allows access from "any", the FritzBox does masquerading on inbound traffic, which is a security risk.

        There might be an option to disable masquerading.

jordanet @viragomann

@viragomann Thanks for the reply.
I did a test:
From my smartphone OpenVPN works (in the logs I see the IP of the Android connection).

Instead, from the home connection the IP 91.1xx.xxx.xx is converted into a private IP 10.2xx.xxx.xx.

In the firewall logs I see this private IP arriving and not the public IP of my router, so the problem is my home router.

viragomann @jordanet

            @jordanet said in VPN and Block private networks and loopback addresses:

From my smartphone OpenVPN works (in the logs I see the IP of the Android connection).
Instead, from the home connection the IP 91.1xx.xxx.xx is converted into a private IP 10.2xx.xxx.xx.

Are both connections coming from outside into the router's WAN?

            And which network does 10.2xx.xxx.xx belong to?
            Since the FritzBox has 192.168.179.1, this IP has nothing to do with masquerading.

In the firewall logs I see this private IP arriving and not the public IP of my router.

            Which private IP do you see in the logs?

You should not see the router's public IP, but the one of the client.

jordanet @viragomann

              @viragomann

Work:
ISP public IP: 62.xxx.xxx.xxx
-> FritzBox: 192.168.178.1
pfSense exposed host connected to LAN1, WAN IP 192.168.178.20

Home:
First I had FTTC fiber and I used 2 FritzBoxes (work and home) for the IPsec VPN, then they activated FTTH and I connected the FritzBox to the Huawei OptiXstar FTTH router to maintain the IPsec VPN… pfSense I installed recently at work.

I left the home FritzBox in router mode, so it has the firewall active and IP masquerading.

I've been going crazy with pfSense and VPNs for 3 days (IPsec, WireGuard, OpenVPN).

Later I'll go home and unplug the FritzBox or change the "router mode" so the firewall functions are deactivated 🤦 🤦

jordanet @viragomann

@viragomann
Thanks, it helped me to understand the problem; when you wrote "masquerading" I understood what to look for.

jordanet @viragomann

@viragomann

WORK:
ISP public IP 62.9X.XX.X
FritzBox IP: 192.168.179.1
pfSense WAN 192.168.179.20
LAN 192.168.1.0

HOME:
(I have removed the FritzBox)
ISP IP 91.xxx.xxx.xx (shared, I see it on myip.com)
Huawei router: 192.168.178.1
LAN: 192.168.178.0

But I see in the WAN information in the Huawei router:
IP acquisition mode PPPoE, IP address/subnet mask 10.25x.xx.6 / 255.255.255.255

If I try to connect to the work VPN, in the logs I can't find the WAN address (91.xxx.xxx.xx) but that damn private IP 10.25x.xx.6 😠

At work the IP is public, in the home connection it is shared. The ISP is the same for both locations.

Maybe this is why the private IP arrives, because I use the same ISP?

viragomann @jordanet

@jordanet
No, you only get a private IP from your ISP at home. It's a sort of CG-NAT, but the ISP provides a wrong network address range.

                    Huawei router:

I guess it's a mobile internet router like an LTE modem / router. It's quite usual that you don't get a public IP in mobile networks.

ISP IP 91.xxx.xxx.xx (shared, I see it on myip.com)

                    This is the public IP of the ISP router.

                    Without a public IP, your home network sadly is not accessible from the internet. You can only make outbound connections.

jordanet @viragomann

@viragomann I don't use mobile at home but fiber FTTH; the router is a Huawei OptiXstar EG8145X6.

I think the problem is that I use the same ISP for both home/work connections and the traffic goes internally.
If I browse my website and look at the stats I see 91.xxx.xxx.xx; instead, if I try to connect to the VPN the traffic goes internal and I see IP 10.25x.xx.6 in the pfSense log.

If I allow private networks on pfSense, is it dangerous?

viragomann @jordanet

@jordanet
Yes, it's possible that the ISP routes the traffic inside its network and hence you see the private IP.
But it seems odd to me that it does this with the VPN, but not with web traffic.

Basically, private networks are not routed in the internet. So no packet with a private source IP should hit your WAN. However, as you can see, it's up to the ISP to route traffic to you, and also the ISP itself would be able to access your WAN if private networks are not blocked.
Anyway, if your home WAN address is static, you can allow only this one to access your VPN, or allow the respective IP range used by the ISP.

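The trade-off in the reply above (switching off "Block private networks" lets any private source, including other customers inside the same ISP network, reach the VPN port unless the pass rule is narrowed to the home WAN address or the ISP's range) can be modelled with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense; the ranges the option is modelled as covering, the OpenVPN port 1194, and every address below are constructed assumptions standing in for the masked values in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: the WAN option is modelled as dropping the RFC 1918
# ranges plus IPv4 loopback. This list is not taken from pfSense's generated ruleset.
PRIVATE_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # source prefix the rule matches
    dport: Optional[int] = None  # None matches any destination port

def is_private_or_loopback(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_AND_LOOPBACK)

def evaluate(rules, src_ip: str, dport: int, block_private: bool = True) -> str:
    """First-match evaluation of a WAN ruleset with default deny."""
    if block_private and is_private_or_loopback(src_ip):
        return "block (private networks)"
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return "block (default deny)"

OPENVPN_PORT = 1194  # assumed default OpenVPN port
SCENARIOS = {        # constructed stand-ins for the addresses masked in the thread
    "smartphone (public)": "203.0.113.10",
    "home WAN (ISP-internal 10.x)": "10.250.7.6",
    "other customer of same ISP": "10.250.9.99",
    "host on FritzBox LAN": "192.168.179.50",
}
ANY = ipaddress.ip_network("0.0.0.0/0")
HOME_WAN = ipaddress.ip_network("10.250.7.6/32")  # static home address, assumed
POLICIES = {  # (user rules, block_private flag)
    "block private on, pass any to VPN": ([Rule("pass", ANY, OPENVPN_PORT)], True),
    "block private off, pass any to VPN": ([Rule("pass", ANY, OPENVPN_PORT)], False),
    "block private off, pass home WAN only": ([Rule("pass", HOME_WAN, OPENVPN_PORT)], False),
}

def matrix() -> dict:
    """Verdict for every (policy, source) pair; shows which sources reach the VPN port."""
    return {p: {s: evaluate(rules, ip, OPENVPN_PORT, bp) for s, ip in SCENARIOS.items()}
            for p, (rules, bp) in POLICIES.items()}

if __name__ == "__main__":
    for policy, results in matrix().items():
        print(policy)
        for src, verdict in results.items():
            print(f"  {src:30} {verdict}")
```

The third policy is the one the reply recommends: the home address still gets in, but the neighbouring ISP customer that the second policy would have admitted falls through to the default deny.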
jordanet @viragomann

                          @viragomann Both offices are the same ISP, the ISP uses the private subnet when traffic is to their customers.

When the request is directed to a remote internet site, the traffic passes through the internet.

However, after my reports, the ISP has changed the configuration and now all traffic passes over the internet.

Dobby_ @jordanet

@jordanet

Why not set up the VPN part at the AVM FB, and then you may be securing your entire LAN behind the AVM with the pfSense? OpenVPN, WireGuard and IPsec are all on board as of today (if your Fritz!OS is fresh enough!)

You connect the AVM FB to the other VPN end, set up at the AVM FB site also;

• Able to open ports by itself (for the pfSense)
• Give that device even the same IP address
  Or set up a static IP address at the pfSense

You should set up at the pfSense site now;

• WAN setup: uncheck the private IPs blocking

All should be fine for you now. If there is a NAS, server or other devices that must be reached from the outside (Internet) and also from your LAN, it is best to set them between the AVM FB and the pfSense (real DMZ).

It is common: you can VPN to the AVM and also use the apps from them, and on top you may be able to use the MyFRITZ! service from AVM, and by the side your LAN is secured anyway by the pfSense.

                            #~. @Dobby

                            Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                            PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                            PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.